npm - @node-core/utils - Versions diffs - 5.14.1 → 5.15.0 - Mend

@node-core/utils 5.14.1 → 5.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +12 -2
package/bin/ncu-ci.js +11 -2
package/lib/config.js +10 -0
package/lib/security-announcement.js +17 -3
package/lib/security-release/security-release.js +7 -0
package/lib/security_blog.js +29 -3
package/lib/update_security_release.js +17 -6
package/lib/voting_session.js +1 -0
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -89,6 +89,14 @@ After the token is generated, create an rc file with the following content:
 Note: you could use `ncu-config` to configure these variables, but it's not
 recommended to leave your tokens in your command line history.
+If you have `gpg` installed and setup on your local machine, it is recommended
+to store an encrypted version of this file:
+```console
+$ gpg --default-recipient-self --encrypt ~/.ncurc
+$ rm ~/.ncurc
+```
 ### Setting up Jenkins credentials
 The `git-node` and `ncu-ci` commands need to query the Node.js Jenkins API for
@@ -104,8 +112,9 @@ To obtain the Jenkins API token
 3. Enter an identifiable name (for example, `node-core-utils`) for this
    token in the inbox that appears, and click `GENERATE`.
 4. Copy the generated token.
-5. Add it into your `ncurc` file (`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`)
-   with `jenkins_token` as key, like this:
+5. Add it into your `ncurc` file (`~/.ncurc` or `$XDG_CONFIG_HOME/ncurc`, or
+   `~/.ncurc.gpg` or `$XDG_CONFIG_HOME/ncurc.gpg`) with `jenkins_token` as key,
+   like this:
    ```json
    {
@@ -125,6 +134,7 @@ Put the following entries into your
 ```
 # node-core-utils configuration file
 .ncurc
+.ncurc.gpg
 # node-core-utils working directory
 .ncu
 ```

package/bin/ncu-ci.js CHANGED Viewed

@@ -111,8 +111,8 @@ const args = yargs(hideBin(process.argv))
     builder: (yargs) => {
       yargs
         .positional('prid', {
-          describe: 'ID of the PR',
-          type: 'number'
+          describe: 'ID of the PR or URL to the PR or its head commit',
+          type: 'string'
         })
         .option('certify-safe', {
           describe: 'SHA of the commit that is expected to be at the tip of the PR head. ' +
@@ -574,6 +574,15 @@ async function main(command, argv) {
   // Prepare queue.
   switch (command) {
     case 'run': {
+      const maybeURL = URL.parse(argv.prid);
+      if (maybeURL?.host === 'github.com') {
+        const [, owner, repo, , prid, , commit_sha] = maybeURL.pathname.split('/');
+        argv.owner ||= owner;
+        argv.repo ||= repo;
+        argv.certifySafe ||= commit_sha;
+        argv.prid = prid;
+      }
+      argv.prid = Number(argv.prid);
       const jobRunner = new RunPRJobCommand(cli, request, argv);
       return jobRunner.start();
     }

package/lib/config.js CHANGED Viewed

@@ -2,6 +2,8 @@ import path from 'node:path';
 import os from 'node:os';
 import { readJson, writeJson } from './file.js';
+import { existsSync } from 'node:fs';
+import { spawnSync } from 'node:child_process';
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -25,6 +27,14 @@ export function getMergedConfig(dir, home) {
 export function getConfig(configType, dir) {
   const configPath = getConfigPath(configType, dir);
+  const encryptedConfigPath = configPath + '.gpg';
+  if (existsSync(encryptedConfigPath)) {
+    const { status, stdout } =
+      spawnSync('gpg', ['--decrypt', encryptedConfigPath]);
+    if (status === 0) {
+      return JSON.parse(stdout.toString('utf-8'));
+    }
+  }
   try {
     return readJson(configPath);
   } catch (cause) {

package/lib/security-announcement.js CHANGED Viewed

@@ -1,9 +1,12 @@
+import fs from 'node:fs';
 import {
   NEXT_SECURITY_RELEASE_REPOSITORY,
   checkoutOnSecurityReleaseBranch,
   getVulnerabilitiesJSON,
+  getVulnerabilitiesJSONPath,
   validateDate,
   formatDateToYYYYMMDD,
+  commitAndPushVulnerabilitiesJSON,
   createIssue
 } from './security-release/security-release.js';
 import auth from './auth.js';
@@ -40,10 +43,21 @@ export default class SecurityAnnouncement {
     validateDate(content.releaseDate);
     const releaseDate = new Date(content.releaseDate);
-    await Promise.all([
+    const [dockerIssue, buildIssue] = await Promise.all([
       this.createDockerNodeIssue(releaseDate),
       this.createBuildWGIssue(releaseDate)
     ]);
+    content.buildIssue = buildIssue;
+    content.dockerIssue = dockerIssue;
+    const vulnerabilitiesJSONPath = getVulnerabilitiesJSONPath();
+    fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+    const commitMessage = 'chore: add build and docker issue link';
+    commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+      commitMessage, { cli: this.cli, repository: this.repository });
+    this.cli.ok('Added docker and build issue in vulnerabilities.json');
   }
   async createBuildWGIssue(releaseDate) {
@@ -53,7 +67,7 @@ export default class SecurityAnnouncement {
     };
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'build');
-    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
+    return createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
   createPreleaseAnnouncementIssue(releaseDate, team) {
@@ -71,6 +85,6 @@ export default class SecurityAnnouncement {
     };
     const { title, content } = this.createPreleaseAnnouncementIssue(releaseDate, 'docker');
-    await createIssue(title, content, repository, { cli: this.cli, req: this.req });
+    return createIssue(title, content, repository, { cli: this.cli, req: this.req });
   }
 }

package/lib/security-release/security-release.js CHANGED Viewed

@@ -107,6 +107,12 @@ export function getVulnerabilitiesJSON(cli) {
   return file;
 }
+export function getVulnerabilitiesJSONPath() {
+  const vulnerabilitiesJSONPath = path.join(process.cwd(),
+    NEXT_SECURITY_RELEASE_FOLDER, 'vulnerabilities.json');
+  return vulnerabilitiesJSONPath;
+}
 export function validateDate(releaseDate) {
   const value = new Date(releaseDate).valueOf();
   if (Number.isNaN(value) || value < 0) {
@@ -135,6 +141,7 @@ export async function createIssue(title, content, repository, { cli, req }) {
   const data = await req.createIssue(title, content, repository);
   if (data.html_url) {
     cli.ok(`Created: ${data.html_url}`);
+    return data.html_url;
   } else {
     cli.error(data);
     process.exit(1);

package/lib/security_blog.js CHANGED Viewed

@@ -6,7 +6,8 @@ import {
   PLACEHOLDERS,
   checkoutOnSecurityReleaseBranch,
   validateDate,
-  SecurityRelease
+  SecurityRelease,
+  commitAndPushVulnerabilitiesJSON,
 } from './security-release/security-release.js';
 import auth from './auth.js';
 import Request from './request.js';
@@ -56,16 +57,41 @@ export default class SecurityBlog extends SecurityRelease {
     const endDate = new Date(data.annoucementDate);
     endDate.setDate(endDate.getDate() + 7);
+    const link = `https://nodejs.org/en/blog/vulnerability/${fileName}`;
     this.updateWebsiteBanner(site, {
       startDate: data.annoucementDate,
       endDate: endDate.toISOString(),
       text: `New security releases to be made available ${data.releaseDate}`,
-      link: `https://nodejs.org/en/blog/vulnerability/${fileName}`,
+      link,
       type: 'warning'
     });
     fs.writeFileSync(file, preRelease);
     cli.ok(`Announcement file created and banner has been updated. Folder: ${nodejsOrgFolder}`);
+    await this.updateAnnouncementLink(link);
+  }
+  async updateAnnouncementLink(link) {
+    const vulnerabilitiesJSONPath = this.getVulnerabilitiesJSONPath();
+    const content = this.readVulnerabilitiesJSON(vulnerabilitiesJSONPath);
+    let shouldCommit = false;
+    for (let i = 0; i < content.reports.length; ++i) {
+      if (content.reports[i].announcement !== link) {
+        content.reports[i].announcement = link;
+        shouldCommit = true;
+      }
+    };
+    if (shouldCommit) {
+      fs.writeFileSync(vulnerabilitiesJSONPath, JSON.stringify(content, null, 2));
+      const commitMessage = 'chore: add announcement link';
+      commitAndPushVulnerabilitiesJSON([vulnerabilitiesJSONPath],
+        commitMessage, { cli: this.cli, repository: this.repository });
+      this.cli.ok('Updated the announcement link in vulnerabilities.json');
+    }
+    return [vulnerabilitiesJSONPath];
   }
   async createPostRelease(nodejsOrgFolder) {

package/lib/update_security_release.js CHANGED Viewed

@@ -152,6 +152,7 @@ export default class UpdateSecurityRelease extends SecurityRelease {
     for (const cve of cves) {
       const report = reports.find(report => report.id === cve.reportId);
       report.cveIds = [cve.cve_identifier];
+      report.patchedVersions = cve.patchedVersions;
     }
   }
@@ -219,12 +220,14 @@ Summary: ${summary}\n`,
       if (!create) continue;
+      const { h1AffectedVersions, patchedVersions } =
+        await this.calculateVersions(affectedVersions, supportedVersions);
       const body = {
         data: {
           type: 'cve-request',
           attributes: {
             team_handle: 'nodejs-team',
-            versions: await this.formatAffected(affectedVersions, supportedVersions),
+            versions: h1AffectedVersions,
             metrics: [
               {
                 vectorString: cvss_vector_string
@@ -246,7 +249,7 @@ Summary: ${summary}\n`,
         continue;
       }
       const { cve_identifier } = data.attributes;
-      cves.push({ cve_identifier, reportId: id });
+      cves.push({ cve_identifier, reportId: id, patchedVersions });
     }
     return cves;
   }
@@ -262,15 +265,23 @@ Summary: ${summary}\n`,
     }
   }
-  async formatAffected(affectedVersions, supportedVersions) {
-    const result = [];
+  async calculateVersions(affectedVersions, supportedVersions) {
+    const h1AffectedVersions = [];
+    const patchedVersions = [];
     for (const affectedVersion of affectedVersions) {
       const major = affectedVersion.split('.')[0];
       const latest = supportedVersions.find((v) => v.major === Number(major)).version;
       const version = await this.cli.prompt(
         `What is the affected version (<=) for release line ${affectedVersion}?`,
         { questionType: 'input', defaultAnswer: latest });
-      result.push({
+      const nextPatchVersion = parseInt(version.split('.')[2]) + 1;
+      const patchedVersion = await this.cli.prompt(
+        `What is the patched version (>=) for release line ${affectedVersion}?`,
+        { questionType: 'input', defaultAnswer: nextPatchVersion });
+      patchedVersions.push(patchedVersion);
+      h1AffectedVersions.push({
         vendor: 'nodejs',
         product: 'node',
         func: '<=',
@@ -279,6 +290,6 @@ Summary: ${summary}\n`,
         affected: true
       });
     }
-    return result;
+    return { h1AffectedVersions, patchedVersions };
   }
 }

package/lib/voting_session.js CHANGED Viewed

@@ -29,6 +29,7 @@ export default class VotingSession extends Session {
     this.abstain = abstain;
     this.closeVote = argv['decrypt-key-part'];
     this.postComment = argv['post-comment'];
+    this.gpgSign = argv['gpg-sign'];
   }
   get argv() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@node-core/utils",
-  "version": "5.14.1",
+  "version": "5.15.0",
   "description": "Utilities for Node.js core collaborators",
   "type": "module",
   "engines": {
@@ -68,6 +68,6 @@
     "eslint-plugin-promise": "^7.2.1",
     "globals": "^16.0.0",
     "neostandard": "^0.12.1",
-    "sinon": "^20.0.0"
+    "sinon": "^21.0.0"
   }
 }